In recent years, code-injection attacks have become one of the most common forms of attack on modern computer systems. At a high level, code-injection attacks on network services (e.g., file sharing and web servers) and client-based programs (e.g., browsers and document viewers) redirect the flow of execution in the vulnerable program to arbitrary code, called shellcode, which is provided as part of the attack. The injected code often enables unauthorized control of system resources, applications, and data. The key to detecting these attacks lies in accurately discovering the presence of the shellcode being injected into the vulnerable program.
The intent of this research is to design, implement, and deploy a new framework, called ShellOS, that continuously analyzes network streams or program buffers to detect the presence of executable code that may be harmful. The proposed approach addresses the shortcomings of current dynamic analysis techniques that rely on software-based CPU emulation to detect shellcode. Unlike previous approaches, it takes advantage of hardware virtualization to allow more efficient and accurate inspection of buffers by executing instruction sequences directly on the CPU. In doing so, this project enables more scalable techniques for protecting cyberinfrastructure against code-injection attacks. Where possible, the project also plans to release anonymized forms of detected attacks. The availability of such data can play a significant role in fostering collaboration and ensuring U.S. technical leadership in network security research. The tools created as part of this project will be made available to the broader research community under an open-source license.